No, there's no way built into IIS. There are a couple of alternatives that may meet your needs though.
The simplest is to have Web users authenticate to NT4 or Windows 2000 user accounts and enable password lockouts. After x number of unsuccessful authentication attempts, the password will be locked out. However, this solution doesn't block a user's IP address, so it doesn't completely meet your needs.
It's also possible to create an ISAPI filter that intercepts incoming HTTP requests and counts the number of times requests from a given IP address include authentication information. If a specific address is attempting a brute-force attack, this ISAPI filter could manipulate the IIS metabase and institute Source-IP Filtering for that address. This meets your needs, but you'll have to do some coding.
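The per-address counting such a filter would need can be sketched in portable C. This is an added example, not code from the original answer or from IIS: `record_request`, the table size, the threshold and the window are all assumptions, and the ISAPI hooks and the metabase update are left to the caller. It counts only credential-bearing requests that were answered 401, because with Basic authentication every request from a logged-in user carries credentials.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_TRACKED  256  /* assumed: number of addresses tracked at once */
#define MAX_ATTEMPTS 5    /* assumed: rejected attempts allowed per window */
#define WINDOW_SECS  60   /* assumed: length of the counting window */

struct ip_entry { char ip[46]; time_t window_start; unsigned count; };
static struct ip_entry table[MAX_TRACKED];

/* Find the slot for ip, or reuse the empty/oldest slot if it is not tracked. */
static struct ip_entry *lookup(const char *ip, time_t now) {
    struct ip_entry *victim = &table[0];
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (strcmp(table[i].ip, ip) == 0) return &table[i];
        if (table[i].window_start < victim->window_start) victim = &table[i];
    }
    memset(victim, 0, sizeof *victim);
    strncpy(victim->ip, ip, sizeof victim->ip - 1);
    victim->window_start = now;
    return victim;
}

/* Called once per request. Returns 1 when ip has reached the threshold and
 * the caller should add it to the server's IP deny list, otherwise 0.
 * Only requests that carried credentials and were answered 401 are counted. */
int record_request(const char *ip, int has_credentials, int status, time_t now) {
    if (!ip || !*ip || !has_credentials || status != 401) return 0;
    struct ip_entry *e = lookup(ip, now);
    if (now - e->window_start >= WINDOW_SECS) {  /* window expired: restart */
        e->window_start = now;
        e->count = 0;
    }
    return ++e->count >= MAX_ATTEMPTS;
}

int main(void) {
    /* Constructed sample: six rejected logins from one documentation address. */
    for (int i = 0; i < 6; i++) {
        int deny = record_request("192.0.2.10", 1, 401, 1000 + i);
        printf("attempt %d from 192.0.2.10 -> %s\n", i + 1, deny ? "deny" : "allow");
    }
    return 0;
}
```

A real filter would also need locking around the table, since IIS calls filters from multiple threads.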